from Hacker News

Ask HN: My full name and address are in a spam email, sent to my iFit mail alias

by appel on 3/27/23, 7:51 PM with 24 comments

Sorry for the weirdly worded title, had to cram a lot in there whilst staying below the char limit.

My wife and I have been subscribed to the iFit family plan for about three years. I just received an obvious spam message, but the concerning thing is that it was sent to the gmail alias I exclusively use for iFit (myname+ifit.com@gmail.com), and the body contains my full name and address. Luckily, the phone number is not correct.

https://i.imgur.com/U3vptQq.png

Am I right to be a little freaked out about this? Or is there a perfectly good explanation?

Edit: When I think about it there are quite a few ways this could have happened.

- iFit sold my data (unlikely but not unprecedented)

- My iFit account was compromised

- My Bitwarden account was compromised

- My Gmail account was compromised

- My computer was compromised?

- The data in the spam message was compiled from a few different sources.

  • by notahacker on 3/27/23, 9:13 PM

    Given the targeted nature of the email (fake fitness related invoice associated with email address used by fitness service) it looks like someone's ended up with a long list of iFit user details, almost certainly via illicit means

  • by paxys on 3/28/23, 12:48 AM

    My guess – iFit sold your data in the advertising and tracking market, which you allowed by signing their ToS. Over there it was exchanged between many faceless data brokers, credit agencies, banks, advertisers and more, again fully legally. Pretty much everyone reading this thread and using the internet in general has their personal info floating around in such markets.

    From there, your specific bit of data took a path that was, whether knowingly or unknowingly, leaked/sold to someone running outright phishing scams. This part is rare, because the data is a valuable commodity and using it for such pointless (and illegal) purposes would be counter to the best interests of everyone in these ecosystems.

    How serious is it? Well, there are people out there with all the info you put in your iFit account. How severe you consider that depends on a bunch of factors, and could be different for everyone.

  • by jonaldomo on 3/27/23, 8:40 PM

    Not sure why you think it's unlikely, they told you they would in their privacy policy.

    "We may disclose or share your personal data to entities other than iFIT for a business purpose"

    https://www.ifit.com/privacy-policy

  • by transcriptase on 3/27/23, 9:51 PM

    More than likely iFit.

    I don't think they're doing so hot after the Peloton lawsuit, and anecdotally getting their support to answer a simple email takes months. My last conversation with them by phone basically ended with the agent saying "go ahead and initiate a charge-back with your credit card, because even though you should be refunded my hands are tied".

  • by TAKEMYMONEY on 3/28/23, 1:58 PM

    I've gotten a LOT of these, either your data was sold or compromised. Easy to spot where the data came from because they are sent to masked email addresses (notice they sent it to your `+ifit` address) which makes me think iFit was compromised (not Gmail).

    Change your password and email for iFit, poison your data (put in fake names/info if you can). Search your email at the haveibeenpwned website and it will return any data leaks it was a part of.

    If you're into scam-baiting, call the number (ideally with a fake/VOIP number) they provided and play along with the scam until they realize you're bullshitting. Do it enough times and your email is removed from their spam list. For extra fun, post the number to r/scambait and they will be inundated with calls for a while.

  • by ehPReth on 3/27/23, 10:40 PM

    I had something like this happen with a VoIP provider (I don't quite know how to describe them, but they're like Twilio where you can 'code the phone' sort of thing) and my unique email address. Reported it to them out of concerns their system was breached, explained the unique email address situation and was given nothing but denial in return and ultimately got nowhere.

    Sucks, but I guess it is what it is :/. This was a while ago so it's fuzzy but I just ended up not using them anymore/not going forward with them.

  • by ectospheno on 3/28/23, 2:01 AM

    Most US states publish property tax information. This includes the full name of the property owners, their full address, the amount of property tax levied, and the purchase price of the home. So none of that information should be considered private. Phone numbers were also quite public in the phone book days of my childhood. Cell phones changed this a bit but I wouldn’t consider them private either. Food for thought.

  • by DamonHD on 3/27/23, 8:09 PM

    I think that you are right to be concerned.

  • by hulitu on 3/28/23, 6:51 AM

    Your privacy is very important for us. (i.e. we make a lot of money out of it). /s

    Google is not privacy.